
Social Engineering: why bother?

Know the numbers, evils and countermeasures to this dangerous attack strategy.

October 2015, second half of the month. The New York Post was the first to publish the story. Several other news outlets, such as the Guardian, CNN, Forbes and Wired, soon told their own versions of it.

After discovering that John Brennan, then CIA director, was a Verizon customer, a group of crackers, some still in high school, managed to trick company employees into handing over the man's personal data.

Shortly thereafter, knowing that Brennan's personal email was from AOL, they contacted the company and, using the stolen Verizon information, coerced the email provider's employees to reset the account password. The damage was done.

While the success of the invasion of John Brennan's personal email account is debatable, there is evidence to suggest that the crackers did manage to do so.

If the head of the world's most prominent intelligence agency is susceptible to attacks of this nature, what about us?

Ordinary people

Unfortunately, social engineering attacks do not only affect strategic positions in distant countries. The damage is very democratic.

If we look only at phishing (a very common social engineering attack, which consists of tricking people into clicking misleading links so that they expose confidential information), we see that in 2016, according to Kaspersky Lab, 27.61% of the total global number of such attacks happened in Brazil, and Kaspersky's customer anti-phishing system was triggered almost 155 million times a year worldwide.

IsYourDataSafe.com reports that the stolen information market moved more than 143 billion dollars in 2013. Another source, the Ponemon Institute, claims that the average annual cost, among companies with more than 10,000 employees, of containing phishing attacks that have compromised employee credentials is more than $380,000.

Therefore, social engineering is a real problem, a plentiful source of financial loss and dishonest profit.

But, after all, what exactly is social engineering?

Definitions

In the book Unmasking the Social Engineer, published by Wiley, Christopher Hadnagy defines social engineering as follows (adapted):

Any act that influences a person to take an action that may or may not be in their best interest.

According to this definition, directly influencing a person to perform any action is what characterizes social engineering. The concept is very broad: for example, a large dog, barking and running stubbornly towards an unfortunate man and making him run desperately in self-defense, could be classified as social engineering. In this case, the frightened individual would be coerced into performing an action in his own interest.

Even a newborn child, through crying, influences the parents to perform actions and is influenced by them in various ways. Social engineering, therefore, would be a natural thing. It is interesting to note that this definition assumes that the social engineer is an active entity when it comes to influencing the actions of others.

Another possible and less generic definition is that of the book Introduction to Hacking and Penetration Testing, by Patrick Engebretson, published in Brazil by Novatec, which defines social engineering as follows (adapted):

It is the process of exploiting the "human" weaknesses inherent in every organization, with the aim of getting an employee to disclose confidential information.

Here the concepts of human resources and organization already appear. The social engineer would exploit the human nature of an organization to obtain privileged information. Note, however, that the definition does not make active influence a requirement: the social engineer would merely take advantage of human weaknesses. What are these weaknesses? The next definition clarifies this point.

This is from Udemy's online course CompTIA Security+ Certification SYO-401 (transcript):

Exploiting the trusting nature of people to gather information or access.

This third definition makes it clear that the weakness exploited by the social engineer is people's innate trust. Moreover, it goes beyond obtaining information, expanding the objective to include obtaining access, and, again, it does not mention any need for active influence.

Based on the three definitions presented here, I venture my own definition of social engineering:

To coerce people to perform actions or to take advantage of freely performed actions in order to gain access to information or private areas, whether physical or virtual.

This definition covers both attacks based on active influence, such as phishing, and attacks such as dumpster diving, which are passive with respect to influence over people; it also covers both physical and digital information and access.

Moving on from definitions, in what ways can a social engineer actually act? Unfortunately, real instances of social engineering are diverse.

Attacks

Let us suppose the existence of two characters: Hansel and Gretel. Both work in a multinational company. Their profiles are very different. Hansel lives by all sorts of tricks. He is a con man and is dissatisfied with the corporation. Gretel, on the other hand, is a sweet person and an exemplary employee.

At the height of his dissatisfaction, Hansel decides to attack the company and, despite not having the necessary technical knowledge to conduct an electronic attack, he is very "good at talking" and knows the institution reasonably well. Below, four possible "stories" of Hansel's attack are told. All the attacks described are based on social engineering.

Tailgating

Hansel knows that in a restricted area of the company there is information that would earn him a few thousand dollars on the illegal market. The problem is that he doesn't have the level of privilege necessary to enter the area: his badge "won't pass".

So he stands next to the door, waiting for a gullible-looking person. Gretel, who works in exactly that area and had gone out to get a cup of latte, approaches Hansel in the hallway and, with a nice smile, wishes our rascal the most musical "good morning". The perfect victim.

Hansel, after returning an even more musical "good morning", strikes up a light conversation with the smiling girl. Amidst jokes and smiles, he says he forgot his badge and asks if Gretel would be so kind as to let him in with her. She, very helpful, says "yes, of course" and does so. A tailgating attack has just been carried out.

Tailgating is improperly entering areas where access is restricted by exploiting the goodwill of people who have legitimate access. The attacker doesn't even need the cooperation of a third party: he can take advantage of the fraction of a second before a controlled door closes to slip through it. Of course, this would be much more suspicious if noticed.

Dumpster diving

Tuesday, 5:30 p.m. It's almost time for Gretel to leave. She needs to get to the bank before 6:00 p.m. to pay a bill; it is the last day she can pay it. Because of that, she doesn't waste time shredding the drafts of a confidential document she had written earlier. She simply crumples the papers before throwing everything in the trash and leaving.

Wednesday. John, the janitor, throws away a bag of used paper around 9 a.m., as usual, depositing it in a waste bin next to the company building. A cunning Hansel knows about this habit of the methodical janitor. At about 9:15, he goes down to the gate and, taking advantage of a moment when there is no one in the parking lot, collects the bag and places it in the spacious trunk of his car.

Later, at home, going through the material taken from the garbage bag, he finds a batch of crumpled copies of a confidential document that someone had thrown away without shredding. Examining the contents of the papers further, he discovers that they contain (bingo!) temporary network credentials with a high level of privilege, to be made available to consultants who would be providing a service to the corporation in a few days' time.

It couldn't be simpler: dumpster diving consists of looking in the garbage for inappropriately discarded privileged information.

Shoulder surfing

Hansel knows that Gretel has access to a certain system. For nefarious reasons, he also wants access to it. The trouble is that there are no reasonable grounds for the staff who grant access to approve it. In addition, accessing the system with someone else's credentials would make it much easier to cover up any fraud he might want to commit.

Having discovered that Gretel is a sweet person, he approaches her at a time when she doesn't seem too busy and, between smiles and lies, asks her to be kind enough to check something for him in the system. Not wanting to disappoint the nice interlocutor, Gretel immediately does so and starts typing her credentials to log in to that system.

Hansel, incredibly discreet and astute, memorizes the credentials that the girl types. After she presents what he has asked for, he thanks her politely and leaves. Success. Later, he would use the stolen credentials to authenticate himself as if he were Gretel.

As the example describes, shoulder surfing attacks consist of obtaining confidential information by "spying" on what the victim is doing on the computer.

Impersonation

"Good morning, are you Gretel?" asks the man in a suit, leaning slightly forward with his arms crossed and resting on the partition of her desk. Gretel says, "Yes, it's me". The man identifies himself: he is Daniel, the purchasing supervisor. He had come to speak directly to Gretel because he needed urgent information. He was finalizing the documentation for the audit that was going to take place on Monday, and some figures, precisely the ones Gretel had reported, did not look right.

He asks if Gretel could open SAP so they could check together which values should actually have been reported. Surely the girl had made a mistake. Gretel, not wanting to hold up the audit, readily agrees with the circumspect supervisor and asks him to sit next to her and check the values. Together they do the calculations; the man writes down the information he needs, thanks her, takes the coffee Gretel offers him, hurries, and then leaves. Success.

Hansel, our talented social engineer, had passed himself off as Daniel, purchasing supervisor, to obtain privileged information. Impersonation consists of posing as another person to obtain advantages, often by forging urgent situations or putting some pressure on the victim.

Several other types of attacks make up the social engineer's arsenal, such as phishing, hoaxing, whaling, watering hole attacks, etc. Attacks of this nature commonly rely on the helpfulness and innate trust of the victims, and also on some knowledge of internal processes. Social interaction is almost always a key element in conducting a successful social engineering attack.

Although physical security countermeasures are the most visible way of combating social engineering, user education is undoubtedly the path to corporate success when it comes to information security. In fact, it is now essential that home users also have some knowledge of cybersecurity. Cybercrime is everywhere, and its main "competitive advantage" today is the general public's lack of information.


Electronic surveillance equipment can inhibit the social interaction needed to conduct an impersonation or shoulder surfing attack; mantraps can be a good idea for preventing tailgating; and, similarly, proper document disposal equipment such as shredders placed in each department of a corporation can help prevent dumpster diving. None of this will work, however, if employees are not prepared to make proper use of these tools.

When it comes to security, more than merely educating users, a corporation that succeeds in this regard is one where there is a culture of information security. This is extremely difficult to achieve, simply because it runs up against the intrinsic trust we place in each other. Therefore, using gamification and empowering users so that they are recognized and treated as part of the solution can be an excellent strategy for building a cybersecurity culture in your organization.

Translated from: https://www.perallis.com/news/engenharia-social-por-que-se-importar